The CryptoPrevent application has a field to add programs that might need to be whitelisted. It already comes with known programs whitelisted, but you can add others as you see fit.
Yup. Or Bitdefender Anti-CryptoLocker. These keep out the trojan ransomware in different ways and they complement each other. The former sets policy restrictions on what can run in data folders and the latter looks for suspicious processes that might attempt to run there and blocks/terminates them before they can execute.
Yes, similar can be achieved by putting Eset's HIPS in interactive mode. In that case Eset will monitor program executions and alert you of new, unknown processes.
CryptoLocker creeps lure victims with fake Adobe, Microsoft activation codes. http://www.theregister.co.uk/2014/01/02/cryptolocker_worm/
Anyone have any experience with Bitdefender's Anti-CryptoLocker? http://www.softpedia.com/get/Antivirus/Removal-Tools/Bitdefender-Anti-CryptoLocker.shtml
Hi, how can I make a rule like this? ESET alerts on every process and not only on new and unknown processes. Thanks.
Cryptolocker scrambles eight years of data belonging to US town hall. http://www.cso.com.au/article/535221/cryptolocker_scrambles_eight_years_data_belonging_us_town_hall/
Hi, I read the tutorial http://www.mechbgon.com/srp/. For me it's just a bit confusing; may I know which folders I should block?
If you want to go with the blacklisting method, see here: https://www.wilderssecurity.com/showpost.php?p=2321701&postcount=68
Mechbgon's guide is whitelisting/default-deny mode, which I consider to be more secure and easier to configure. Basically, if you don't install apps in custom folders, then it should be only two or three:
- Windows folder
- Program Files folder
- Program Files (x86) folder, if you're on 64-bit
You can get even tighter by only allowing specific app folders, or even hash rules for certain executables. But for the hash rules, it'd be very cumbersome for day-to-day usage since you'll need to recreate the rules for allowed apps if you update the software version.
New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger http://www.tripwire.com/state-of-se...-cryptolocker-variant-spread-yahoo-messenger/
Still targets the %AppData% folder. Securing it prevents the malware from being executed there. Best practice is to scan all received files and to have Windows show file extensions, which are normally hidden by default. It goes without saying: don't download attachments from anyone you don't know or that you weren't expecting.
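To make the two policy styles discussed above concrete (the default-deny set of three allowed folders versus a blacklist of user-writable folders, the hash-rule maintenance point, and the hidden-extension trick that "show file extensions" defends against), here is an added simulation of how Software Restriction Policies resolve a path. It is not code from the thread, from Mechbgon's guide or from CryptoPrevent: the environment table, the sample executable paths and the blacklist rule set are constructed for the demonstration, and the matching logic is a simplified model of SRP (hash rules beat path rules; among path rules the most specific match wins; `*` matches within one folder level) rather than Microsoft's implementation.

```python
import hashlib
import ntpath
import re
from dataclasses import dataclass, field

# Constructed environment table for the simulation; nothing is read from a live machine.
ENV = {
    "systemroot": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "programfiles(x86)": r"C:\Program Files (x86)",
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
    "temp": r"C:\Users\alice\AppData\Local\Temp",
}


def expand(path: str) -> str:
    """Expand %VAR% references using ENV, case-insensitively like SRP does."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def normalize(path: str) -> str:
    """Canonical lower-case Windows path so comparisons ignore case and '..' segments."""
    return ntpath.normpath(expand(path)).lower()


@dataclass
class PathRule:
    pattern: str   # folder prefix or wildcard pattern, may contain %VAR%
    level: str     # "Unrestricted" or "Disallowed"


@dataclass
class HashRule:
    sha256: str    # hex digest of the exact binary the rule pins
    level: str


@dataclass
class Policy:
    default_level: str                  # applies when no rule matches
    path_rules: list = field(default_factory=list)
    hash_rules: list = field(default_factory=list)


def path_matches(pattern: str, target: str) -> bool:
    """Folder rules match the folder and everything below it; wildcard rules
    match one folder level per '*' (simplified model of SRP wildcard rules)."""
    if any(c in pattern for c in "*?"):
        rx = "".join("[^\\\\]*" if c == "*" else "[^\\\\]" if c == "?" else re.escape(c)
                     for c in pattern)
        return re.fullmatch(rx, target) is not None
    return target == pattern or target.startswith(pattern.rstrip("\\") + "\\")


def decide(policy: Policy, exe_path: str, content: bytes = b"") -> str:
    """Security level the model applies to an executable: hash rules first,
    then the longest (most specific) matching path rule, else the default."""
    digest = hashlib.sha256(content).hexdigest()
    for rule in policy.hash_rules:
        if rule.sha256 == digest:
            return rule.level
    target = normalize(exe_path)
    matches = [(len(normalize(r.pattern)), r.level) for r in policy.path_rules
               if path_matches(normalize(r.pattern), target)]
    return max(matches)[1] if matches else policy.default_level


# Default-deny policy as described in the thread: only the three system folders may run.
WHITELIST = Policy("Disallowed", [
    PathRule(r"%SystemRoot%", "Unrestricted"),
    PathRule(r"%ProgramFiles%", "Unrestricted"),
    PathRule(r"%ProgramFiles(x86)%", "Unrestricted"),
])

# Blacklist policy (assumed rule set; the linked post's exact list is not reproduced here).
BLACKLIST = Policy("Unrestricted", [
    PathRule(r"%AppData%\*.exe", "Disallowed"),
    PathRule(r"%AppData%\*\*.exe", "Disallowed"),
    PathRule(r"%LocalAppData%\*.exe", "Disallowed"),
    PathRule(r"%Temp%\*.exe", "Disallowed"),
])

# Constructed execution attempts: a normal browser launch plus three profile-folder drops.
ATTEMPTS = [
    r"%ProgramFiles%\Mozilla Firefox\firefox.exe",
    r"%AppData%\svchost.exe",
    r"%Temp%\invoice.pdf.exe",
    r"C:\Users\alice\Downloads\invoice.pdf.exe",
]


def evaluate(policy: Policy) -> dict:
    return {path: decide(policy, path) for path in ATTEMPTS}


def hash_rule_after_update() -> tuple:
    """A hash rule pins one exact binary; after a vendor update the old rule no
    longer matches, so the path/default decision applies again (the thread's
    maintenance objection)."""
    v1, v2 = b"tool v1 (constructed bytes)", b"tool v2 (constructed bytes)"
    policy = Policy("Disallowed", [], [HashRule(hashlib.sha256(v1).hexdigest(), "Unrestricted")])
    return decide(policy, r"%AppData%\tool.exe", v1), decide(policy, r"%AppData%\tool.exe", v2)


EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def hides_executable(filename: str) -> bool:
    """True for names such as invoice.pdf.exe that look like a document once
    Explorer hides the real extension."""
    stem, ext = ntpath.splitext(filename.lower())
    return ext in EXECUTABLE_EXT and ntpath.splitext(stem)[1] != ""


if __name__ == "__main__":
    for name, policy in (("default-deny", WHITELIST), ("blacklist", BLACKLIST)):
        print(name)
        for path, level in evaluate(policy).items():
            print(f"  {level:12} {path}")
    print(hash_rule_after_update())
    print([f for f in ("invoice.pdf.exe", "setup.exe", "report.pdf") if hides_executable(f)])
```

Running it shows the difference the post describes: under default-deny every attempt outside the three system folders is Disallowed, including the Downloads folder, whereas the blacklist only stops the folders it names and lets the Downloads copy run. One caveat a practitioner should keep in mind when deploying the real thing: a default-deny policy is only as tight as the allowed folders, so any user-writable subfolder under them needs its own Disallowed rule.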
Hey everyone, just wanted to let you know Rollback Rx can protect you from this nasty thing and its variations. Check out this post: http://www.horizondatasys.com/en/cryptolocker_removal_and_protection.ihtml
Rollback RX is an image recovery software. CryptoLocker would only be able to overwrite all files and shadow copies on the date it was installed. You can revert to an earlier point in time with Rollback RX and the malware is gone, and all your files should still be there as they were before CryptoLocker encrypted them.
I thought Rollback RX is a snapshotting software? Although it's still better than Windows' system restore, I prefer to use a real drive imaging software personally.
The snapshots are backup images of your operating system that are saved to RB's MB directory. At boot, even if Windows fails to boot, you can still restore Windows from RB's boot console by selecting a date you knew it would boot. It beats having to do a reformat and reinstall.
Rollback RX can best be thought of as a magician. Something that makes you see what you want to see. It plays sleight of hand with the sector/file maps of a disk. When you make a change to the disk (like writing a file), it keeps a record of the changes and assigns them to a snapshot (point in time). RBRX then "presents" the right sectors belonging to a point in time to Windows every single time disk operations are done. This can consist of "old" sectors and "new-in-a-snapshot" sectors. A map overlaid on a map. I believe RBRX would work in your favor against CryptoLocker, though I have not personally tested it in such an environment. RBRX is really ahead of its time and not yet implemented correctly.
RB is a kind of sandbox container for Windows. On another level it works like Sandboxie, only far more effectively at the boot/MBR level. Malware that infects the RB snapshot file exists only in that file. When you roll back to an earlier date, the malware infection is reversed like it never existed. Once you roll back, you can then delete the infected snapshot and poof, the malware is gone forever! It's a way of staying ahead of the evolution of malware because it provides a layer of protection Windows can't. As a result, if you do mess up Windows, you don't have to spend hours recovering from a Windows compromised by human error. AV is reactive; it can protect only after the fact. RB can protect before something happens by restoring Windows to its last good working state.
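The "map overlaid on a map" description in the two posts above is a copy-on-write snapshot layer: writes never touch the sectors belonging to an earlier point in time, so rolling back simply stops presenting the newer layers. The following is an added toy model of that mechanism, written for this thread rather than taken from Rollback RX or any other product; the sector contents, the XOR stand-in for the ransomware's encryption and the assumption that the malware can only write through the normal disk path (not to the snapshot driver's own structures) are all constructed for the demonstration.

```python
from typing import Dict, List


class SnapshotDisk:
    """Copy-on-write disk model (constructed, not a real driver).

    base      : sector map as it was when the snapshot software was installed
    snapshots : frozen layers, one per point in time, oldest first
    current   : the live layer that receives every write

    A read is resolved newest layer first, so the OS always sees the most
    recent version of each sector; older versions are never overwritten.
    """

    def __init__(self, base: Dict[int, bytes]):
        self.base = dict(base)
        self.snapshots: List[Dict[int, bytes]] = []
        self.current: Dict[int, bytes] = {}

    def write(self, sector: int, data: bytes) -> None:
        # Every write lands in the live layer only; frozen layers are immutable.
        self.current[sector] = data

    def read(self, sector: int) -> bytes:
        for layer in [self.current] + self.snapshots[::-1]:
            if sector in layer:
                return layer[sector]
        return self.base.get(sector, b"")  # never-written sector reads as empty

    def take_snapshot(self) -> int:
        """Freeze the live layer as a point in time and start a fresh one."""
        self.snapshots.append(self.current)
        self.current = {}
        return len(self.snapshots) - 1

    def rollback(self, snapshot_id: int) -> None:
        """Discard every layer newer than snapshot_id, including the live layer.
        Whatever was written after that point (malware or legitimate work) is gone."""
        del self.snapshots[snapshot_id + 1:]
        self.current = {}


def xor_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the ransomware's file encryption (constructed, not CryptoLocker's scheme)."""
    return bytes(b ^ key for b in data)


def simulate() -> dict:
    """Walk through install -> clean snapshot -> infection -> rollback and report what the OS sees."""
    disk = SnapshotDisk({0: b"budget.xlsx v1", 1: b"thesis.docx v1", 2: b"photo.jpg"})
    disk.write(0, b"budget.xlsx v2")          # legitimate edit before the infection
    clean = disk.take_snapshot()              # known-good point in time
    for sector in range(3):                   # ransomware overwrites every file it can reach
        disk.write(sector, xor_encrypt(disk.read(sector)))
    disk.write(3, b"notes.txt (written after infection)")  # user keeps working, unaware
    infected = disk.take_snapshot()
    during = {s: disk.read(s) for s in range(4)}
    disk.rollback(clean)                      # revert to the clean date, drop the infected layer
    after = {s: disk.read(s) for s in range(4)}
    return {"clean": clean, "infected": infected, "during": during, "after": after,
            "snapshots_left": len(disk.snapshots)}


if __name__ == "__main__":
    result = simulate()
    for phase in ("during", "after"):
        print(phase)
        for sector, data in result[phase].items():
            print(f"  sector {sector}: {data!r}")
```

The run shows both halves of the earlier posts: after the rollback the budget edit made before the clean snapshot is intact and every encrypted sector reads as its pre-infection content, but `notes.txt`, written after that snapshot, is gone as well. That is the trade-off the "revert to an earlier point in time" approach carries, and it is why the model only helps if the snapshot layers themselves stay out of the malware's reach, which is the assumption the thread makes and this toy encodes.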